← Back

CVE-2026-41699

nvd nist
Published: Jun 11, 2026Modified: Jun 12, 2026

JSON object

Loading...
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD

Description

Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated (Connection) field and the classpath contains specific classes that can be leveraged during deserialization. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8.

Affected (3)

Vmware
1 product
Spring For Graphql
Configuration A
3 vulnerable
Vulnerable SoftwareAffected Versions
Vmware
Spring For Graphql
From 1.3.0 to 1.3.9
Spring For Graphql
From 1.4.0 to 1.4.6
Spring For Graphql
From 2.0.0 to 2.0.4

Related CWEs

CWE-502
Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (1)

Source: security@vmware.com
Vendor Advisory

Timeline

No history available yet.